How the SCA exemptions work

From September 14, Strong Customer Authentication (SCA) will be required for all electronic payments within the EU. However, the new payment service directive, PSD2, also allows certain exemptions from the SCA requirement. Here is a short description of how the exemptions will be handled and what new response codes the card issuers will use.

One important ground rule of SCA is that the decision to allow an exemption is always made by the card issuing bank. As a merchant, this means that you yourself can’t decide if an exemption should be applied or not. In our previous articles on this subject you can read more about the specific exemptions that are available for in-store and online transactions.

Online card payments

With 3D Secure 2.0
The card networks have decided to use the security protocol 3D Secure to handle SCA for any purchase made with their cards. By using the new version of this protocol, 3D Secure 2.0, your acquirer has the option to include a request for an SCA exemption when the card is being authenticated.

3D Secure 2.0 allows over 100 data points to be sent along with the authentication data. When the issuer receives this data they can choose to either approve or decline the exemption request. If the exemption is approved the customer can make a “frictionless” purchase, without SCA. If the exemption is declined the customer is instead asked to perform SCA directly in the payment window.

The use of these exemptions also affects liability in the case of fraudulent transactions. If the issuer approves an exemption that is requested by the acquirer it is the acquirer and merchant who are liable if the transaction is fraudulent. The issuer can also choose to exempt a transaction from SCA without a request from the acquirer. In this case the issuer will be liable for any fraud.

Without 3D Secure 2.0
Merchants and acquirers who don’t support 3D Secure 2.0 also have the possibility to request exemptions from the SCA requirement. In these cases the acquirer instead sends the request along with the authorization of the transaction. If this exemption is approved the customer can carry out a “frictionless” purchase, just as with 3D Secure 2.0. But if this exemption is denied the issuer will instead respond to the authorization with a code that means “authentication required”. The customer is then redirected to an external page to perform SCA with 3D Secure 1.0. If the merchant does not support 3D Secure 1.0 the transaction will be declined.

New response codes
The new response codes for “authentication required” look a little different depending on what network the card belongs to. Mastercard uses the code 65, Visa’s code is 1A and if the transaction is processed through Evry the code O5 will be used. In the merchant’s reporting these response codes can look like denied transactions, but what they actually mean is that the transaction has been funneled back to the authentication part of the process and that the customer has to perform SCA before the issuer can authorize the purchase. Because of this, the use of “authentication required” response codes can lead to a decline in certain KPIs for approved transactions, such as Gross Acceptance Rate, without impacting actual sales. If you use 3D Secure 2.0 this won’t happen, since the request is done directly in the authentication of the card.

In-store card payments

For in-store card payments, customers only have to enter the card’s PIN number to fulfill the SCA requirement. The most important exemption from this rule will be for contactless transactions. This exemption means that contactless transactions, without PIN, can be done as long as the amount of the purchase is less than 50 €. The exemption is also limited so that customers have to enter their PIN after five such transactions, or if the total amount of their contactless transactions is more than 150 €.

New response codes
When contactless transactions are not exempted from the SCA requirement customers will be asked to authenticate themselves by entering their PIN numbers. This is done by the issuer sending back a response code that varies depending on the card network, just as with online exemptions. Visa uses the response codes 1A and 70, Mastercard uses the response code 65 and if the transaction is processed through Evry the code O5 will be used.
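
The two “New response codes” sections above, as an added example that is not part of the original article: a small report that separates “authentication required” responses from real declines, so the per-attempt Gross Acceptance Rate can be compared with the per-order outcome. The feed layout, the function names, the approval code 00 and the decline code 51 are assumptions made for the illustration.

```python
from collections import Counter

# "Authentication required" codes as listed in the article, per card network.
# Visa's 70 is listed only for in-store contactless; Evry's code is written
# with the letter O in the article.
SCA_REQUIRED = {
    "online": {("visa", "1A"), ("mastercard", "65"), ("evry", "O5")},
    "instore": {("visa", "1A"), ("visa", "70"), ("mastercard", "65"), ("evry", "O5")},
}
APPROVED = "00"  # assumption: the reporting feed marks approvals with 00


def classify(channel, network, code):
    """Return 'approved', 'sca_required' or 'declined' for one authorization response."""
    code = code.strip().upper()
    if code == APPROVED:
        return "approved"
    if (network.strip().lower(), code) in SCA_REQUIRED[channel]:
        return "sca_required"
    return "declined"


def acceptance_report(rows):
    """rows: (order_id, channel, network, code) tuples in chronological order."""
    attempts, final = Counter(), {}
    for order_id, channel, network, code in rows:
        outcome = classify(channel, network, code)
        attempts[outcome] += 1
        final[order_id] = outcome  # the last response decides the order
    if not final:  # empty feed: avoid dividing by zero
        return {"gross_rate": 0.0, "order_rate": 0.0, "sca_required": 0, "abandoned_at_sca": 0}
    orders = Counter(final.values())
    return {
        "gross_rate": attempts["approved"] / sum(attempts.values()),  # per attempt
        "order_rate": orders["approved"] / len(final),                # per order
        "sca_required": attempts["sca_required"],
        "abandoned_at_sca": orders["sca_required"],  # SCA requested, never completed
    }


# Constructed sample feed; the order ids and the decline code 51 are made up.
SAMPLE = [
    ("o1", "online", "Visa", "00"),
    ("o2", "online", "Visa", "1A"), ("o2", "online", "Visa", "00"),
    ("o3", "online", "Mastercard", "65"), ("o3", "online", "Mastercard", "00"),
    ("o4", "online", "Mastercard", "51"),
    ("o5", "online", "Evry", "O5"),
    ("o6", "instore", "Visa", "70"), ("o6", "instore", "Visa", "00"),
]
```

On the sample feed, four of nine attempts are approved while four of six orders end in an approval; the gap is the “authentication required” responses that were followed by a successful SCA.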